[vox-tech] Question about php settings and passing form data

ME vox-tech@lists.lugod.org
Wed, 5 Feb 2003 15:17:24 -0800 (PST)


Troy Arnold said:
> On Tue, Feb 04, 2003 at 10:58:17PM -0800, ME wrote:
>> Troy Arnold said:
>> > On Tue, Feb 04, 2003 at 06:06:49PM -0800, ME wrote:
>> >> Hello,
>> >>
>> >> I want to use a php redirector
>> >> header('Location: http://website.nofun/redirect.....)
>> >> and I want to pass to the page ref-ed in the URI a number of FORM
>> >> variables.
>> >>
>> >> However, I am meeting with little luck on this.
>> >>
>> >> If I encode the variables as part of the URL with "&" as a
>> >> separator, I can get the form data and variables that store them
>> >> (names) to pass through to the page.
>> >
>> > Clarifying, you *can* get the above to work as it should?
>>
>> Yes, the above is a method for passing form data within the URL. Of
>> course this is undesirable for things like passwords, and
>> authentication strings. Cookies might be better, but that assumes the
>> form can be set to use them, and I don't have access to modify that.
>
> Ahhh, so what you want is to redirect, sending your var/value pairs as
> POST data?  Without access to the destination page, any session data you
> create is useless, 'cause, 1) like I mentioned before, sess. data is not
> passed with the request and 2) the dest. page needs to know about the
> session.
>
> Now, you can probably do this by opening a socket directly.
> Something like:
>
> $host="example.com";
> $vars="fname=Mike&Last=Egan";
> $s=fsockopen($host, 80);
> fputs($s, "POST /some/file.html HTTP/1.1\r\n");
> fputs($s, "host: example.com\r\n");
> fputs($s, "content-type: application/x-www-form-urlencoded\r\n");
> fputs($s, "content-length: " . strlen($vars)."\r\n");
> fputs($s, "connection: close\r\n\r\n"); # blank line ends the headers
> fputs($s, $vars); #or urlencode($vars) , not sure.

I might be a little bit dense here, but...

In this case, the server running the php code will attempt to make the
connection, right? This is not like a client is able to POST the content
in a redirect that has encoded form data. Assuming the post is made to the
ssl port, and the SSL negotiation can take place with a fsockopen (and
certs, etc.) then this could permit the POSTed data to get the remote
form, but not be useable by the client who wants to see the results.

> See the "network funcs" section of the php manual
> For an OO interface, see the HTTP/Request.php PEAR module.
> http://pear.php.net/

I'll check this out next. (Perhaps I can use the Location: with this and
find a way to convince the clients to go to the new address and take a
post of data with it.)

After plenty of googling, and searching newsgroups for people who have
posted the same question, all I have found was an answer like your first
(which appears to be a server to server connection, not a client to server
one) or the one I knew worked, but did not want to use as posted in the
first mail to this list (Location: directive with specifying multiple
items to be used as posted data in the &var=valuevar2=value format.)

Of course, I could set up a form in HTML that contains the sensitive data,
but that means the browser's cache may have a file with sensitive data in
it.

Another choice might be to set up a form with fields auto-filled in, and
ask the user to "press this button to go on" and then set meta data in the
hopes that the client respects it to refresh/blank out the fields that
were auto-filled in before.

Make the form into a single button with hidden data on the page, but then
there is the caching issue.

Of course, I could use the encoding method for form data within the URL
and the "&" separator, but then that can be found in some browser's
history, and can lead to a copy on the client machine/disk.

However, when looking to find a way to effectively overload the Location:
directive to redirect a user to a new location and make the redirect also
include form data the user did not originally send (effectively acting as
a wrapper or proxy to reformat data available to the PHP script), I am at a
loss.

I know I have two solutions (and variation upon them) that can make this
work for the clients, but they are just unhappy when it comes to security.
:-/

> Actually, that will probably work better, but I already typed the
> above... :)
>
>> An ideal solution would be a complement to the header directive that
>> permits me to encode arbitrary header information. If I had access to
>> this, then I could manually encode the form data through header data,
>> or perhaps a way to force certain data to pass as html FORM data.
>> However, it seems many of the low-level controls that I am familiar
>> with using are not there. Certainly, many of the more complex things
>> seem easier to code for the web in php, but the control with respect
>> to granularity is missing as a cost of this easy to use, productive
>> environment.
>
> I don't think it's all missing, you just haven't learned where to look
> yet. :)  It may be possible to accomplish this with the appropriate
> calls to header() and perhaps some output buffering.  See "Output
> Control Functions" in php manual.  Might be cajoled into working, not
> sure though.

Perl has a similar thing to what I am looking for, where you can set a
url, add a bunch of variables, and then call the URL. However, this is not
a client-based redirection, just a duplicate of the server-to-server
connection.

I may have to face the possibility that what I want to do is presently
impossible. (I'll still check the pear link you have provided. It is
possible that I can formulate a redirection that adds (or even replaces)
new form data "on-the-fly" as the client jumps from the php page off to
another page.)

>> > Also, the php function phpinfo() can be useful for debugging.
>> >
>> > Did I understand your problem correctly?  If not, please clarify.
>>
>> I'll play with phpinfo() to see if it offers me more than my present
>> solution.
>
> It will be a complement to, not a replacement for.  You'll see :) , tons
> of cool/useful stuff about the server and php setup, etc. which is not
> available through the environment or form variables.

This was a great source of information, and though it has some collisions
with the other tool I have been using, it did verify all of the previous
problems with lack of data.

Thanks for your time and suggestions!

-ME


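An added example (not part of the original message or of any code posted in the thread) of the hidden-field hand-off discussed above: a PHP page that sends no-store cache headers and a self-submitting POST form, so the values stay out of the URL and the browser is asked not to keep the page. The target URL, field names and function names are constructed placeholders, and the values are still visible to the client in the page source.

```php
<?php
// Added example; render_post_handoff() and send_no_cache_headers() are
// hypothetical names, and the target URL and fields below are constructed.
declare(strict_types=1);

/** Build a self-submitting POST form that carries $fields to $target. */
function render_post_handoff(string $target, array $fields): string
{
    // Only hand sensitive values to an HTTPS endpoint.
    if (parse_url($target, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException('target must be an https URL');
    }
    $esc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    $inputs = '';
    foreach ($fields as $name => $value) {
        // Escape both name and value so a quote or "<" cannot break the markup.
        $inputs .= sprintf(
            "  <input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            $esc((string) $name),
            $esc((string) $value)
        );
    }
    return "<!DOCTYPE html>\n<html><head><title>Continuing</title></head>\n"
         . "<body onload=\"document.forms[0].submit()\">\n"
         . "<form method=\"post\" action=\"" . $esc($target) . "\" autocomplete=\"off\">\n"
         . $inputs
         . "  <noscript><button type=\"submit\">Continue</button></noscript>\n"
         . "</form></body></html>\n";
}

/** Ask the browser and any intermediaries not to store the hand-off page. */
function send_no_cache_headers(): void
{
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');              // for HTTP/1.0 caches
    header('Expires: 0');
    header('Referrer-Policy: no-referrer');  // do not pass this page's URL onward
}

if (PHP_SAPI !== 'cli') {
    send_no_cache_headers();                 // must run before any output
}
echo render_post_handoff(
    'https://website.nofun/login',           // constructed target
    ['user' => 'demo', 'token' => 'a"b<c&d'] // constructed values
);
```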